ESX/ESXi supports one-way CHAP for all types of iSCSI initiators, and mutual CHAP for software and dependent hardware iSCSI.

Before configuring CHAP, check whether CHAP is enabled at the iSCSI storage system and check the CHAP authentication method the system supports. If CHAP is enabled, enable it for your initiators, making sure that the CHAP authentication credentials match the credentials on the iSCSI storage.

ESX/ESXi supports the following CHAP authentication methods:

One-way CHAP

In one-way CHAP authentication, also called unidirectional, the target authenticates the initiator, but the initiator does not authenticate the target.

Mutual CHAP

In mutual CHAP authentication, also called bidirectional, the initiator also authenticates the target, which provides an additional level of security. VMware supports this method for software and dependent hardware iSCSI adapters only.
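The difference between the two methods, as an added example that is not VMware code: a Python sketch that runs the CHAP computation from RFC 1994 (response = MD5 of identifier, secret, and challenge) in one or both directions. The `Target` class, the `iscsi_login` function, and both secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    # Constant-time comparison of the expected and received response
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

class Target:
    """Hypothetical storage target holding the two CHAP secrets."""
    def __init__(self, initiator_secret: bytes, target_secret: bytes):
        self.initiator_secret = initiator_secret  # what the initiator must prove
        self.target_secret = target_secret        # what the target proves (mutual only)

    def challenge(self):
        self.ident, self.chal = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.chal

    def check_initiator(self, response: bytes) -> bool:
        return verify(self.ident, self.initiator_secret, self.chal, response)

    def answer(self, ident: int, chal: bytes) -> bytes:
        return chap_response(ident, self.target_secret, chal)

def iscsi_login(target, initiator_secret, target_secret, mutual):
    """Initiator side. Returns (initiator_accepted, target_verified).
    target_verified is None when the initiator never tested the target."""
    ident, chal = target.challenge()
    accepted = target.check_initiator(chap_response(ident, initiator_secret, chal))
    if not mutual:
        return accepted, None  # one-way: no evidence about the target's identity
    # Mutual: the initiator issues its own fresh challenge in the other direction
    my_ident, my_chal = os.urandom(1)[0], os.urandom(16)
    reply = target.answer(my_ident, my_chal)
    return accepted, verify(my_ident, target_secret, my_chal, reply)

# Constructed sample secrets, one per direction
INIT_SECRET = b"initiator-secret-01"
TGT_SECRET = b"target-secret-0001"

if __name__ == "__main__":
    array = Target(INIT_SECRET, TGT_SECRET)
    print("one-way:", iscsi_login(array, INIT_SECRET, TGT_SECRET, mutual=False))
    print("mutual: ", iscsi_login(array, INIT_SECRET, TGT_SECRET, mutual=True))
```

With one-way CHAP the second value is always `None`: the initiator has proved itself but has learned nothing about which target it reached.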

For software and dependent hardware iSCSI adapters, you can set one-way CHAP and mutual CHAP for each initiator or at the target level. Hardware iSCSI supports CHAP only at the initiator level.

When you set the CHAP parameters, specify a security level for CHAP.

Note

When you specify the CHAP security level, how the storage array responds depends on the array’s CHAP implementation and is vendor specific. For example, when you select Use CHAP unless prohibited by target, some storage arrays use CHAP in response, while others do not. For information on CHAP authentication behavior in different initiator and target configurations, consult the array documentation.

Table: CHAP Security Level

| CHAP Security Level | Description | Supported |
|---|---|---|
| Do not use CHAP | The host does not use CHAP authentication. Select this option to disable authentication if it is currently enabled. | Software iSCSI, Dependent hardware iSCSI, Independent hardware iSCSI |
| Do not use CHAP unless required by target | The host prefers a non-CHAP connection, but can use a CHAP connection if required by the target. | Software iSCSI, Dependent hardware iSCSI |
| Use CHAP unless prohibited by target | The host prefers CHAP, but can use non-CHAP connections if the target does not support CHAP. | |